Splunk Enterprise

Why do you install some TAs on search heads only and some on heavy forwarders?

horsefez
SplunkTrust

Hi fellow splunkers,

Today I decided to install the following Splunkbase TA for Cisco IOS in my environment.
https://splunkbase.splunk.com/app/1467/#/details

Without looking into the docs I prematurely installed it on my heavy forwarder instance. It didn't work there. After consulting the docs, it said that this add-on needed to be installed on the search heads to function properly.

I looked into the props and transforms conf of the app and noticed lots of sourcetype rewriting and such. I'm wondering why this TA does not work on HFs. I did sourcetype rewriting on HFs before.


Can someone tell me why certain add-ons won't work on HFs and do work on SHs and vice versa?
Is there a way to distinguish these apps, without necessarily looking into the docs?

Kind regards,
pyro_wood

1 Solution

alacercogitatus
SplunkTrust

So first, you should always read the documentation. Each App/Add-on has different instructions with different setup procedures based on the data. It all depends on where the data is received. If the HF has the syslog for Cisco IOS, then yes it should go there. If the Indexers receive the Cisco data, then the TA goes there. This TA also includes lookups, so it needs to be on a search head as well. Of note: There is no modular input here. So the usual "Mod inputs to a HF" doesn't apply. However, the instructions mention the use of syslog. You should not receive syslog directly into Splunk. Please review http://www.georgestarcher.com/splunk-success-with-syslog/.

This TA also includes a limits.conf (which also is not a best practice).

TL;DR: ALWAYS READ DOCUMENTATION. If you do not, you open yourself up to potential data loss, misconfigurations, or other unwanted data parsing.
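
The rule in this answer (index-time parsing such as TRANSFORMS- sourcetype rewriting belongs on the first full Splunk instance that sees the data, while lookups and other search-time settings belong on the search head) can be turned into the rough triage the question asks for. This is an added example, not code from the thread or from the Cisco IOS add-on; SAMPLE_APP is a constructed stand-in and the key prefix lists are a heuristic, so the add-on's documentation remains authoritative.

```python
# props.conf key prefixes by pipeline stage: index-time settings run on the first full
# Splunk instance that parses the data (HF or indexer); search-time ones and lookups on the SH.
INDEX_TIME_KEYS = ("TRANSFORMS-", "SEDCMD-", "LINE_BREAKER", "SHOULD_LINEMERGE",
                   "TIME_PREFIX", "TIME_FORMAT", "TRUNCATE")
SEARCH_TIME_KEYS = ("REPORT-", "EXTRACT-", "LOOKUP-", "FIELDALIAS-", "EVAL-", "KV_MODE")

# Constructed sample app (path -> text) imitating the question's pattern; not the real Cisco IOS TA.
SAMPLE_APP = {
    "default/props.conf": """
[cisco:ios]
TRANSFORMS-set_st = force_cisco_ios_sourcetype
LOOKUP-severity = cisco_severity_lookup severity_id OUTPUT severity_name
""",
    "default/transforms.conf": """
[force_cisco_ios_sourcetype]
REGEX = %\\w+-\\d-\\w+:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:ios
[cisco_severity_lookup]
filename = cisco_severity.csv
""",
}

def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}; comments are skipped."""
    stanzas, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            stanzas.setdefault(cur, {})
        elif "=" in line and cur is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas[cur][key.strip()] = value.strip()
    return stanzas

def classify_app(app):
    """Return {tier: [settings]} saying which Splunk instances must receive this app."""
    fwd, idx, sh = [], [], []
    conf = lambda name: parse_conf(app.get(f"default/{name}", ""))
    fwd += [f"inputs.conf [{s}]" for s in conf("inputs.conf")]  # inputs run on a forwarder/HF
    for stanza, keys in conf("props.conf").items():
        for key in keys:
            if key.startswith(INDEX_TIME_KEYS):
                idx.append(f"props.conf [{stanza}] {key}")
            elif key.startswith(SEARCH_TIME_KEYS):
                sh.append(f"props.conf [{stanza}] {key}")
    for stanza, keys in conf("transforms.conf").items():
        if "filename" in keys or "external_cmd" in keys:  # lookup definition: search-time only
            sh.append(f"transforms.conf [{stanza}] lookup")
    return {"forwarder": fwd, "index-time (HF or indexer)": idx, "search-time (search head)": sh}
```

For the sample app this reports one index-time setting (the sourcetype rewrite, which would work on an HF) and two search-time ones (the LOOKUP- and its transforms stanza), which is why installing it only on the HF leaves the lookups non-functional.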

horsefez
SplunkTrust

Hi alacercogitatus,
thanks for your answer. I wasn't aware that lookups only work with search heads.
I will read the article as well. Thanks!
